Automate VMware UAG SSL certificates - VMware Horizon

A guide to automate adding Let's Encrypt certificates to VMware UAG using Certbot renewal-hooks via UAG API.


Let's Encrypt is a good free option for certificates. A lot of environments will set up automated renewals using Certbot. This script automatically updates the SSL certificates on a VMware UAG appliance with a hook on each Certbot renewal.

Dependencies:

JQ - https://jqlang.github.io/jq/manual/

Install on Ubuntu/Debian

apt-get update
apt-get install jq
jq --version

Install on a RHEL variant

yum install epel-release -y
yum install jq
jq --version

Create a new file /etc/letsencrypt/live/uag.domain.com/uagsslupdate.sh. Take note of the names that need to be updated to match your environment.

#!/bin/bash
# Certbot renew hook: push the renewed Let's Encrypt certificate to a VMware UAG appliance.
# This file holds the UAG admin password and must be executable for Certbot: chmod 700 uagsslupdate.sh
set -euo pipefail

# Define variables
domain=uag.domain.com
uagserver="10.0.0.5"
username="admin"
password="passwordhere"

# The temporary JSON file contains the private key: make it readable only by this user
# and remove it on every exit path, including failures
umask 077
ssljson=$(mktemp /tmp/ssl.XXXXXX)
trap 'rm -f "$ssljson"' EXIT

# Ingest the certificates and output to single line variables (each newline becomes a literal \n)
lefullchain=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /etc/letsencrypt/live/$domain/fullchain.pem)
leprivatekey=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /etc/letsencrypt/live/$domain/privkey.pem)

# Convert to JSON using jq, output to file (the closing quote belongs after the brace)
jq -n --arg pk "$leprivatekey" --arg cc "$lefullchain" '{privateKeyPem: $pk, certChainPem: $cc}' > "$ssljson"

# jq escapes the literal \n to \\n; collapse it back to \n so the JSON decodes to real newlines
sed -i 's,\\\\,\\,g' "$ssljson"

# CURL PUT the JSON to the UAG appliance using the API.
# --fail turns a 4xx/5xx answer into a non-zero exit, so a rejected upload aborts the hook
# instead of being silently discarded. -k skips verification of the admin interface
# certificate; drop it once the ADMIN interface presents a trusted certificate.
# End user
curl --fail --silent --show-error --output /dev/null -k -d @- -u "$username:$password" -H "Content-Type: application/json" -X PUT "https://$uagserver:9443/rest/v1/config/certs/ssl/END_USER" < "$ssljson"
# Admin
curl --fail --silent --show-error --output /dev/null -k -d @- -u "$username:$password" -H "Content-Type: application/json" -X PUT "https://$uagserver:9443/rest/v1/config/certs/ssl/ADMIN" < "$ssljson"

# Cleanup of the JSON file is done by the EXIT trap above

/etc/letsencrypt/live/uag.domain.com/uagsslupdate.sh

Add a renewal hook to the Certbot configuration for your UAG certificate, /etc/letsencrypt/renewal/uag.domain.com.conf:

[renewalparams]
renew_hook = /etc/letsencrypt/live/uag.domain.com/uagsslupdate.sh
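The same hook written in Python with only the standard library, as an added example that is not part of the original post: it builds the JSON body with json.dumps instead of the awk/sed escaping, treats a non-2xx answer from the UAG API as a failure, and afterwards checks that the appliance presents the new leaf certificate on ports 443 and 9443. The host, credentials, live directory and the two certificate ids are taken from the post as placeholders; the first-run cafile handling is an assumption.

```python
"""Certbot renew hook for VMware UAG: PUT the renewed chain/key, then verify what is served."""
import base64, hashlib, json, ssl, sys, urllib.request

UAG_HOST = "10.0.0.5"                          # placeholder, as in the original script
UAG_USER, UAG_PASS = "admin", "passwordhere"   # placeholders; keep this file mode 0700
LIVE_DIR = "/etc/letsencrypt/live/uag.domain.com"
ENDPOINTS = ("END_USER", "ADMIN")              # UAG REST certificate ids from the post

def build_payload(fullchain_pem: str, privkey_pem: str) -> str:
    """JSON body for /rest/v1/config/certs/ssl/<id>; json.dumps escapes the newlines,
    so the awk/sed escaping steps of the bash version are not needed."""
    return json.dumps({"privateKeyPem": privkey_pem, "certChainPem": fullchain_pem})

def leaf_fingerprint(pem_chain: str) -> str:
    """SHA-256 hex fingerprint of the first (leaf) certificate in a PEM chain."""
    end, s = "-----END CERTIFICATE-----", pem_chain.lstrip()
    leaf = s[: s.index(end) + len(end)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def put_cert(cert_id: str, body: str, ctx: ssl.SSLContext) -> int:
    """PUT the payload; urlopen raises HTTPError on 4xx/5xx, so a rejected upload fails loudly."""
    url = f"https://{UAG_HOST}:9443/rest/v1/config/certs/ssl/{cert_id}"
    token = base64.b64encode(f"{UAG_USER}:{UAG_PASS}".encode()).decode()
    req = urllib.request.Request(url, data=body.encode(), method="PUT", headers={
        "Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status

def served_fingerprint(host: str, port: int) -> str:
    # Fingerprint of the leaf certificate the appliance currently presents on this port
    return leaf_fingerprint(ssl.get_server_certificate((host, port)))

def main() -> int:
    chain, key = (open(f"{LIVE_DIR}/{n}").read() for n in ("fullchain.pem", "privkey.pem"))
    # The system trust store validates the admin interface once ADMIN carries a Let's Encrypt
    # cert; for the very first upload against the self-signed admin cert, export that cert and
    # pass cafile=... here (assumption) rather than disabling verification as curl -k does.
    ctx = ssl.create_default_context()
    body = build_payload(chain, key)
    for cert_id in ENDPOINTS:
        print(f"{cert_id}: HTTP {put_cert(cert_id, body, ctx)}")
    expected = leaf_fingerprint(chain)
    for port in (443, 9443):   # end-user and admin interfaces
        if served_fingerprint(UAG_HOST, port) != expected:
            print(f"port {port} still presents the old certificate", file=sys.stderr)
            return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit from the hook is reported by Certbot as a hook failure, which is the signal to investigate before the old certificate expires.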